[8.7](backport #35049) [Winlogbeat] Document 21 Event ID clause limit…

… under certain situations (#35055) - Added note in documentation about a situation where the event ID clause limit is lower than the claimed 22 clause limit. (cherry picked from commit b2a3aba) --------- Co-authored-by: Taylor Swanson <90622908+taylor-swanson@users.noreply.github.com> Co-authored-by: Taylor Swanson <taylor.swanson@elastic.co>
elastic · Apr 11, 2023 · 635b9e8 · 635b9e8
1 parent 410db79
commit 635b9e8
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -140,6 +140,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 
 *Winlogbeat*
 
+- Add note in documentation about 21 event ID clause limit {issue}35048[35048] {pull}35049[35049]
 
 *Elastic Log Driver*
 

diff --git a/winlogbeat/docs/winlogbeat-options.asciidoc b/winlogbeat/docs/winlogbeat-options.asciidoc
@@ -251,7 +251,11 @@ logs.
 `WARN EventLog[Application] Open() error. No events will be read from this
 source. The specified query is invalid.`
 
-If you have more than 22 event IDs, you can workaround this Windows limitation
+In some cases, the limit may be lower than 22 conditions. For instance, using a
+mixture of ranges and single event IDs, along with an additional parameter such
+as `ignore older`, results in a limit of 21 conditions.
+
+If you have more than 22 conditions, you can workaround this Windows limitation
 by using a drop_event[drop-event] processor to do the filtering after
 {beatname_uc} has received the events from Windows. The filter shown below is
 equivalent to `event_id: 903, 1024, 4624` but can be expanded beyond 22